How Security is Checked for Remotely Initiated TCP/IP Transfers

Document ID : KB000027856
Last Modified Date : 14/02/2018
Show Technical Document Details

Security checking for remotely initiated TCP/IP transfers depends on how the XCOM TCP/IP server (XCOMSRVR) is started. If it is started with a user profile that has *USE authority to the IBM programs QWTSETP, QSYGETPH, and QSYRLSPH, the incoming userid and password for a transfer will be verified and, if valid, the transfer will run under that userid.

If the XCOMSRVR is started with a userid that DOES NOT HAVE authority to the IBM programs QWTSETP, QSYGETPH, and QSYRLSPH, the incoming userid and password will be ignored and the transfer will run under the user profile that started the XCOM TCP/IP server.

Here is how it works.

    1. The user profile that starts the XCOM TCP/IP server program with the STRXCOMTCP command has authority to the IBM programs QWTSETP, QSYGETPH, and QSYRLSPH. In this case, when a remotely initiated TCP/IP transfer comes in, the incoming userid and password are verified and the transfer runs under that user profile. This is possible because the XCOM TCP/IP server has authority to switch to that userid.

      To illustrate what you will see in the log:

         2900 - CHKOBJ OBJ(*LIBL/QWTSETP) OBJTYPE('*PGM') MBR(*NONE)
      AUT('*USE')
         5200 - RETURN



  1. The user profile that started the XCOMSRVR program does not have authority to the IBM programs QWTSETP, QSYGETPH, and QSYRLSPH. In this case, the incoming userid and password are not validated and the transfer runs under the userid that started the XCOMSRVR program. This happens when the XCOM TCP/IP server has no authority to switch to that userid. Any userid and password are accepted, even invalid userids.

    To illustrate what you will see in the log:

       2900 - CHKOBJ OBJ(*LIBL/QWTSETP) OBJTYPE('*PGM') MBR(*NONE)
    AUT('*USE')
       Not authorized to object QWTSETP in QSYS.

Refer to TEC264610 for more details.